Two factor authentication -- time synchronisation
Peter Upfold,
User (Posts: 1)
Aug 09, 2022 8:31:58 am EDT
Support level: Free or trial
I have found that if there is any time discrepancy at all between host and viewer (or wherever else the two factor one-time codes are generated), the two factor code generated can be rejected by the host.
For example, if the current 30 second code expires in 2 seconds, but the host clock is 3 seconds ahead (so it believes this code has already expired), it will not accept the code. If the host and 2FA generator clocks are out by more than 30 seconds, it is not possible to sign in, as the codes will never overlap.
Would it be possible for some level of time skew to be accepted by the host to account for this -- I believe this is normally the case for TOTP 2FA systems.

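The failure described in the post above, reproduced as an added example (not part of the thread and not Remote Utilities code): an RFC 6238 verifier that can optionally accept codes from adjacent 30-second steps. The key is the RFC 6238 test key, the timestamps are constructed, and the `window` parameter is hypothetical, not a Remote Utilities setting.

```python
import hashlib
import hmac
import struct

STEP = 30                          # seconds each code is valid, as in the post
SECRET = b"12345678901234567890"   # RFC 6238 test key, not a real secret


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, verifier_time: float, window: int = 0):
    """Return the step offset at which `code` matches, or None if rejected.

    window=0 accepts only the verifier's current step (the strict behaviour
    reported in the thread); window=1 also accepts the previous and next step.
    Compare the result with `is None`, because a match at offset 0 is falsy.
    A production verifier would also remember accepted codes to block reuse.
    """
    matched = None
    for drift in range(-window, window + 1):     # no early exit on a match
        candidate = totp(secret, verifier_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            matched = drift
    return matched


if __name__ == "__main__":
    phone_time = 58                  # constructed: code expires in 2 seconds
    code = totp(SECRET, phone_time)
    for skew in (0, 3, 45):          # host clock ahead of the phone by `skew` s
        host_time = phone_time + skew
        print(f"skew={skew:>2}s strict={verify(SECRET, code, host_time, 0)} "
              f"window1={verify(SECRET, code, host_time, 1)}")
```

A wider window tolerates more clock drift at the cost of a longer period in which an observed code remains usable, so time synchronisation is still needed beyond a step or two.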
Pauline,
Support (Posts: 2912)
Aug 09, 2022 5:42:44 pm EDT
Hello Peter,
Thank you for your message.
Unfortunately, this is expected behavior when using the two factor authentication feature. When using the 2FA, you need to make sure that the phone with the authenticator app and the Host PC both synchronize their time from an online source and that the Windows Time Service (w32tm) is set up correctly on the Host machine.
For more information please also refer to this KB page.
Please let us know if you have more questions.
Scot Henry,
User (Posts: 2)
Feb 06, 2025 5:15:21 pm EST
Support level: Free or trial
Remote Utilities should also change the message that pops up after a user enters the TOTP where the time sync might be off. For example, I have users entering the TOTP, and if the time is not synced, the user gets taken to the password prompt with the notice that the password is incorrect. Well, the password IS correct, but the user starts entering a different password to try to correct the problem. They then call me, and I need to go in to 1.) fix their time sync problem, but also 2.) re-add the correct password. I don't want to give out the password, but being remote, I'm in an awkward position.

Pauline,
Support (Posts: 2912)
Feb 06, 2025 7:12:47 pm EST
Hello Scot,
Thank you for your message.
I will submit your feature request to our development department for a review to see if it’s possible to add this feature in one of the upcoming updates.
Let us know if you have more questions.
* Website time zone: America/New_York (UTC -5)